IPv6 Fragmentation

Kristof Provost kp at FreeBSD.org
Sat Feb 20 12:13:42 UTC 2021 

On 20 Feb 2021, at 5:32, Doug Hardie wrote:
>> On 19 February 2021, at 01:48, Michael Tuexen 
>> <michael.tuexen at lurchi.franken.de> wrote:
>>
>>> On 19. Feb 2021, at 03:29, Doug Hardie <bc979 at lafn.org> wrote:
>>>
>>> I don't know if this is a feature or a bug.  On FreeBSD 9, the 
>>> following ping worked:
>>>
>>> ping6 -s 5000 -b 6000 fe80::213:72ff:fec3:180f%dc0
>> I don't have a dc0 interface, but using re0 at one side and bge at 
>> the other, I get
>> with FreeBSD CURRENT:
>> tuexen at cirrus:~ % ping6 -s 5000 -b 6000 fe80::2e09:4dff:fe00:c00%re0
>> PING6(5048=40+8+5000 bytes) fe80::aaa1:59ff:fe0c:da92%re0 --> 
>> fe80::2e09:4dff:fe00:c00%re0
>> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=0 hlim=255 
>> time=0.393 ms
>> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=1 hlim=255 
>> time=0.419 ms
>> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=2 hlim=255 
>> time=0.354 ms
>> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=3 hlim=255 
>> time=0.446 ms
>> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=4 hlim=255 
>> time=0.421 ms
>> 5008 bytes from fe80::2e09:4dff:fe00:c00%re0, icmp_seq=5 hlim=255 
>> time=0.372 ms
>> ^C
>> --- fe80::2e09:4dff:fe00:c00%re0 ping6 statistics ---
>> 6 packets transmitted, 6 packets received, 0.0% packet loss
>> round-trip min/avg/max/std-dev = 0.354/0.401/0.446/0.031 ms
>>
>> Best regards
>> Michael
>>>
>>> It had to be stopped, but it returned the number of ping responses 
>>> received along with statistics.
>>>
>>> With FreeBSD 12.2 and 13.0-BETA2, it returns 100% packet loss.  
>>> tcpdump shows that it properly fragments the data, sends it, the 
>>> other end receives it and sends back the ACKs.  The ACKs are 
>>> received, but somehow ping doesn't find out that the packets were 
>>> received.
>>>
>>> Without the -s and -b arguments, it works and you get 100% packets 
>>> received.
>
> I found the problem.  pf does not handle IPv6 packets that are 
> fragmented the obvious way.  I suspect it is because icmp header is 
> only in the first fragment.  I had to reassemble fragments in pf in 
> order to make the large pings work.
>
If you don’t have `scrub fragment reassemble` set then you have to 
include something like `pass log inet6 proto ipv6-frag all` to pass 
fragmented packets (assuming you block by default).

You really, really want `scrub fragment reassemble` because otherwise 
your firewall can be trivially bypassed, but you need one of the two for 
fragmented packets to work.

Best regards,
Kristof

More information about the freebsd-net mailing list